
Help:SonarQube

From Wikitech

SonarQube is a platform for automated code review, static code analysis, and security scanning. It helps developers find bugs, vulnerabilities, and code smells across a codebase. By integrating with CI/CD pipelines, SonarQube provides continuous inspection of projects to enforce coding standards and maintain a healthy codebase before code reaches production.

Behind the scenes, our setup uses the SonarCloud (community edition) service. SonarCloud hosts the SonarQube platform for open source projects, removing the need to manage servers while offering the same static analysis capabilities.

Overview

The SonarQube service currently supports:

  • Automated scanning of code during your CI/CD pipeline runs
  • Detection of common bugs, security issues, and code smells
  • Support for a wide variety of programming languages
  • Integration with both Gerrit and GitLab projects

Supported languages

The SonarCloud community version supports most modern languages, including PHP, JavaScript, Kotlin, Kubernetes/Helm manifests and Python.

For a full and current list of supported languages, refer to the documentation on supported languages.

Integration guides

Integrating a Gerrit project

To enable SonarQube scanning for a Gerrit-hosted project:

  1. Create a project on SonarCloud using the project/extension name and a matching project key. Derive both from the project's path in Gerrit, replacing each slash with a hyphen. If you do not have access to SonarCloud, log in to https://sonarcloud.io/ with your GitHub or GitLab account, then create a Phabricator ticket tagging the Test-Platform team; someone from the team will create the project for you and add you as a member of the wmftest organization.
    • For example, a repository hosted at mediawiki/extensions/CommunityConfiguration should have the project name mediawiki-extensions-CommunityConfiguration and the project key mediawiki-extensions-CommunityConfiguration.
  2. Submit a Gerrit patch to integration/config so that the Codehealth pipeline is triggered for the project. Locate the project's entry in zuul/layout.yaml and add the following under its templates section:
      - name: extension-codehealth
    
    This ensures the Codehealth pipeline runs whenever a patch is submitted to the project. An example patch can be seen at Gerrit change 1009283.

Integrating a GitLab project

To enable SonarQube scanning for a GitLab project:

  1. Create a project on SonarCloud using the GitLab project name.
    • Project name: the GitLab project name (e.g. `gobblin-wmf`)
    • Project key: the project name prefixed with `wmftest_` (e.g. `wmftest_gobblin-wmf`)
  2. After creating the project, SonarCloud shows an authentication token once. Copy it. It is the only secret the scan needs, so do not commit it to the repository or paste it into the pipeline file.
  3. In your GitLab project, go to Settings → CI/CD → Variables and create a new variable:
      Name: SONAR_TOKEN
      Value: the token provided by SonarCloud
    
    Tick only Masked and Expand variable reference. Masked keeps the value out of job logs; it does not stop a job from reading it, so anyone who can run a pipeline in the project can use the token. Leave Protected unticked: a protected variable is only exposed to pipelines on protected branches, which would hide it from scans of other branches.
    
  4. Update your .gitlab-ci.yml file to include the SonarQube CI template. For Java projects use:
      include:
       - project: repos/test-platform/sonarqube
         ref: main
         file: templates/maven-sonar-ci.yml
    
    For other languages use:
      include:
       - project: repos/test-platform/sonarqube
         ref: main
         file: templates/sonar-ci.yml
    
  5. Make sure your .gitlab-ci.yml defines a test stage, as SonarQube runs in this stage:
    stages:
      - test
    

Further details are available in the template’s README.

Troubleshooting

  • Verify that the SonarCloud project key matches the repository path or naming convention.
  • Ensure the SONAR_TOKEN variable is properly set and masked.
  • For GitLab projects, if scans do not trigger, confirm that your .gitlab-ci.yml includes a test stage and the correct SonarQube template.
  • A common Gerrit error:
      ERROR: Could not find a default branch for project with key 'mediawiki-extensions-TestKitchen'. Make sure project exists.
    
    This error indicates that the project does not exist in our SonarCloud organization. To resolve it, log in and create the project at https://sonarcloud.io/organizations/wmftest/projects using the same key. If you do not have an account or the required permissions, refer to the support section below.
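The two checks above (the key follows the naming convention, and the project exists in the wmftest organization) can be scripted as a preflight before touching any CI configuration. The script below is an added example, not part of this page or of Wikimedia's tooling: the function names are mine, the SonarCloud Web API endpoint, its response shape and the Basic-auth token scheme it relies on are assumptions not stated on the page, and the canned response is constructed so the script runs offline.

```python
"""Preflight check for a SonarCloud project key (added example, not Wikimedia tooling).

Assumptions not taken from the page: the SonarCloud Web API endpoint
GET /api/projects/search?organization=<org>&projects=<key> answers with JSON that
carries a "components" list whose entries have a "key" field, and it accepts the
analysis token as an HTTP Basic user name with an empty password.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, List

ORGANIZATION = "wmftest"      # the SonarCloud organization named on the page
GITLAB_PREFIX = "wmftest_"    # key prefix the page prescribes for GitLab projects
API = "https://sonarcloud.io/api/projects/search"  # assumed endpoint

Fetcher = Callable[[str, str], bytes]


def expected_project_key(host: str, repo_path: str) -> str:
    """Project key the page's conventions call for.

    gerrit: the repository path with every '/' turned into '-'.
    gitlab: the project name (last path component) prefixed with 'wmftest_'.
    """
    path = repo_path.strip("/")
    if host == "gerrit":
        return path.replace("/", "-")
    if host == "gitlab":
        return GITLAB_PREFIX + path.rsplit("/", 1)[-1]
    raise ValueError(f"unknown host {host!r}")


def http_fetch(url: str, token: str) -> bytes:
    """Live lookup. The token never goes into the URL; it travels in the Authorization header."""
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{token}:".encode()).decode()
    request.add_header("Authorization", f"Basic {credentials}")
    with urllib.request.urlopen(request, timeout=15) as response:
        return response.read()


def project_exists(key: str, token: str, organization: str = ORGANIZATION,
                   fetch: Fetcher = http_fetch) -> bool:
    """True if the organization has a project whose key is exactly `key`.

    The result is filtered on an exact key match rather than trusting a non-empty list.
    `fetch` is injectable so the check can run offline against a canned response.
    """
    url = f"{API}?organization={organization}&projects={urllib.parse.quote(key, safe='')}"
    body = json.loads(fetch(url, token))
    return any(component.get("key") == key for component in body.get("components", []))


def preflight(host: str, repo_path: str, actual_key: str, token: str,
              fetch: Fetcher = http_fetch) -> List[str]:
    """Return the problems found; an empty list means the key is conventional and the project exists."""
    problems = []
    expected = expected_project_key(host, repo_path)
    if actual_key != expected:
        problems.append(f"key {actual_key!r} does not follow the convention, expected {expected!r}")
    if not project_exists(actual_key, token, fetch=fetch):
        problems.append(f"no project with key {actual_key!r} in organization {ORGANIZATION!r}; "
                        f"create it at https://sonarcloud.io/organizations/{ORGANIZATION}/projects")
    return problems


# Constructed stand-in for the live API so the example runs offline: only one project "exists".
_CANNED = {"mediawiki-extensions-CommunityConfiguration"}


def canned_fetch(url: str, token: str) -> bytes:
    """Answer like the assumed search endpoint would, for the constructed set above."""
    key = urllib.parse.unquote(urllib.parse.urlsplit(url).query.split("projects=")[-1])
    components = [{"key": key}] if key in _CANNED else []
    return json.dumps({"components": components}).encode()


if __name__ == "__main__":
    checks = [
        ("gerrit", "mediawiki/extensions/CommunityConfiguration", "mediawiki-extensions-CommunityConfiguration"),
        ("gerrit", "mediawiki/extensions/TestKitchen", "mediawiki-extensions-TestKitchen"),
        ("gitlab", "gobblin-wmf", "gobblin-wmf"),  # constructed case: the wmftest_ prefix was forgotten
    ]
    for host, path, key in checks:
        print(key, preflight(host, path, key, "dummy-token", fetch=canned_fetch) or "ok")
```

Run it with the real `http_fetch` (the default) and a SonarCloud token exported from the environment rather than typed on the command line, so the token does not end up in shell history; the canned fetcher is only there to make the example self-contained.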

Communication and support

For questions, issues, or requests (such as creating a new SonarCloud project or increasing quotas):